Hi i have problem.
I am trying to run apache2 on a public ip address. I set it to router forwarding. However, I still have a problem and I can’t see apache on the public IP. It works on the internal without any problems. The port scan shows me that it is filtered and closed.
I have both antivirus and firewall defender suspended on my computer. What more can I do?
I also tried port mapping and it gave me an error. I am attaching the pictures.
First, please post the images here instead of on an external site.
The rule states an inbound interface whose name is “all wire…” - is that your internal (LAN) or external (WAN) interface? Given that the masquerade rule has an outgoing interface of “pppoe-…”, I suspect the in-interface you set in that rule is your internal interface and not the external, in which case you have to change it (See below).
Also, What default route does your server have? I see you have two interfaces, which one is used for the return packets? The firewall and NAT are stateful and expect things to come back the same way they were sent.
Stupid question, but do you have a firewall rule that allows the traffic to your internal server (note: using the real IP, not the external)?
Lastly, if you try from the inside using the external IP, you will need to set up a hairpin NAT, which I do not see in your configuration.
Regarding the source NAT: the in-interface describes the interface which receives the packet prior to translation. In the case of a source-nat to present stuff to the Internet, the in-interface is the Internet side.
Can you send the output of the following commands, and please put that between “code” tags.
/ip firewall filter export
/ip firewall nat export
/interface list export
first of all i want to thank you for your time.
The thing is that I have a linux apache2 on my machine. On Windows and on Kali Linux, I am connected to the same WiFi network with an external WiFi adapter. I am adding more pictures to give you information.
The ip/firewall/nat table is changed from the internet provider and a static ip address is added.
It still doesn’t work.
sorry, I can’t control some things.
I will send more information if necessary.
here are images and exports
/ip firewall nat export
# 2024-02-04 22:31:43 by RouterOS 7.11.2
# software id = **ELIDED**
#
# model = RBD52G-
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-address=**ELIDED** dst-port=80 protocol=\
tcp src-port="" to-addresses=192.168.0.125 to-ports=80
add action=dst-nat chain=dstnat dst-address= **ELIDED** dst-port=8080 \
protocol=tcp to-addresses=192.168.0.125 to-ports=8080
add action=dst-nat chain=dstnat dst-address= **ELIDED** dst-port=3000 \
protocol=tcp to-addresses=192.168.0.125 to-ports=3000
Thanks for posting here.
Note that you haven’t posted all I asked.
Regarding your test, I suspect you are trying from the same network as your server is on. This cannot work as is, as this needs hairpin NAT.
For all to work correctly, your NAT rule should look like this. Replace with your actual public IP.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.125
add action=dst-nat chain=dstnat dst-address=<PUBLIC IP> dst-port=80 protocol=tcp\
to-addresses=192.168.0.125 to-ports=80
add action=dst-nat chain=dstnat dst-address= <PUBLIC IP> dst-port=8080 \
protocol=tcp to-addresses=192.168.0.125 to-ports=8080
add action=dst-nat chain=dstnat dst-address= <PUBLIC IP> dst-port=3000 \
protocol=tcp to-addresses=192.168.0.125 to-ports=3000
On the server, make sure port 80 is listening (ss -atn)
I’m sorry, but the admin edited and deleted the things you requested from me.
I don’t know how else to give you that information.
I had a given public ip address there
80.87.200.xxx
I checked the apache server on another public ip address (97.120.95.XXX).
Shouldn’t port 80 be enabled and started in the IP service list? In the photo I sent you, only port 8291 is open.
No, this is list of services provided by router (port 80 is used for WebFix … since you’re using WinBox, you probably don’t need WebFig). NAT has no relation with the list on this screen shot.
I noted that your WAN type is pppoe. Typically that is a dynamic IP, not static.
Please confirm if your IP indeed does not change.
If it indeed static, vingjfg dst-nat rules are correct. I personally prefer a wider hairpin nat rule,
to account for potentially more servers and users involved. To- ports are not required if same as dst-ports.
Finally if static, then a more accurate sourcenat rule is also provided, although the other works fine as well and some would say,
the masquerade approach is better in multiple WAN scenarios as if one WAN fails, the old connection are cleared faster with sourcenat.
/ip firewall nat
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-address=WANIP-static
add action=masquerade chain=srcnat src-address=192.168.0.0/24 dst-address**=192.168.0.0/24** comment=“hairpin nat rule”
add action=dst-nat chain=dstnat dst-address= dst-port=80 protocol=tcp
to-addresses=192.168.0.125 t
add action=dst-nat chain=dstnat dst-address= dst-port=8080
protocol=tcp to-addresses=192.168.0.125
add action=dst-nat chain=dstnat dst-address= dst-port=3000
protocol=tcp to-addresses=192.168.0.125